
California enacts new data privacy legislation

California is once again initiating significant changes to protect informational privacy in the digital world. Governor Jerry Brown recently signed several pieces of legislation in an attempt to protect individuals against invasions of privacy connected with personal data collection. California’s new legislation will regulate the collection and use of student data and amend the privacy requirements for businesses who collect personal data.

Over the last ten years, California has passed numerous laws protecting personal data. As recently as 2013, California enacted two laws addressing digital privacy: one regarding how websites respond to citizens who ask the site not to monitor their personal behavioral information and the other relating to the ability for minors under the age of 18 to erase portions of their social media accounts. These laws were the first of their kind in the country and, together with the newly passed legislation, have earned California a reputation for being one of, if not the, most prominent states guarding its citizens’ data privacy.

Student Online Personal Information Protection Act (SOPIPA)

As technology becomes more central to the student educational experience, the issue of protecting student personal data becomes more challenging. California’s SOPIPA attempts to balance the benefits of increased technology in education with concerns over abuse and misuse of personal information. SOPIPA makes significant changes to the way personal information of students in grades K-12 can be collected, stored, and used.

Websites, apps, and online services play a significant role in the modern classroom, but many of these educational services require, or allow, student grades, disciplinary history, and other personal information to be stored and analyzed by service providers. These providers often use student data to create new services and products that can be offered to K-12 students. SOPIPA protects student information in two significant ways: 1) operators providing K-12 services may not compile, share, or disclose student information for any reason other than those related to K-12 purposes, and 2) operators may not use student information for targeted advertising or marketing to K-12 students, their parents, or their families.

Notably, the law does carve out an exception for service providers to store anonymous student data to be used solely for the development and maintenance of their own educational products. In essence, the law tries to ensure that student information is used only for school-related purposes.

Recent amendments to California’s data breach notification requirement place new burdens on companies that suffer a breach in their electronic data security system. Previously, California law required only those persons or businesses who owned or licensed personal data to give notice to citizens when their system was breached. Under the new amendments, any business who maintains computerized data about a California resident must implement “reasonable security procedures,” and if breached they must notify any resident whose information was compromised.

Another major change requires that “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”

Commentators have given considerable attention to the words “if any” found in this provision. Some are concerned that these words may be interpreted to mean that only businesses who previously provided identity theft prevention and mitigation services will be required to continue those services after a data breach. This ambiguity may be left for the judiciary to resolve.

Lastly, the amendments also address how a California resident’s social security number may be used by other people and businesses. Prior to the amendment, a person or entity was prohibited from posting or displaying a citizen’s social security number or doing any act that may compromise the security of an individual’s social security number. Now, in addition to these prohibitions, a social security number may not be sold, offered for sale, or advertised for sale by any person or business. This provision strengthens the protections afforded to California citizens and clearly attempts to restrain the opportunity for identity theft.
